Unixwiz.net - Software Consulting Central

"No Dashes Or Spaces" Hall of Shame

Though I have a tolerably good handle on e-commerce software, I've
not written much of it myself. In this respect, I'm not one to
know what's going on under the hood at any given site: maybe there
is a reason why something works the odd way it does.

But I've observed one technique that has been nearly universal: the practice
of refusing to allow spaces or dashes in credit card number entry fields
(this example from The Teaching Company):

Credit card numbers are always printed and read aloud in groups
of (usually) four digits, and when verifying a number after entry
(which involves looking back and forth between the card and the
web form) one uses the spacing to resynchronize.

If there were some security or integrity reason for disallowing these
characters, I guess I'd buy it, but I've not found a single good reason
for it. The consensus among those that I've spoken to is that it's
nothing but lazy, sloppy programming. I completely agree.

It turns out that sometimes one can clean up the spaces and dashes in
the same amount of code as the instruction not to (this example in perl):

$ccnum =~ s/[-\s]//g; # (No dashes or spaces)

Credit card validation should never be done exclusively on the client
side, and since the server does it anyway, I just can't find any good
reason for this sloppy practice. Those who believe otherwise are very
much encouraged to contact me with the reasoning.

Some sites cleverly avoid the "no spaces or dashes" shame by limiting
the credit card entry to 16 characters: this has the same effect. It's
just lame.

The shameful

This is the list of websites we've been collecting since mid-2003,
and new entries are added at the top. We invite submissions from
others, though only those which can be verified will be added.
Likewise, those who've cleaned up their acts will be noted here
as well.

Sendgrid
When entering a space in the credit card number, the next page shows this
error message with no clue as to the reason. This is probably the worst possible
way to handle this.
— added 2014/06/26

Chevron/Texaco Gas Card
Entering a payment date requires a two-digit month and day; 3/11/2009
fails validation. This is the second entry for Chevron; a more traditional
no-dashes-or-spaces entry is below.
— added 2009/03/10

LogMeIn Rescue
Not quite sure what to make of this: a popup that says
no dashes spaces, but it removes them automatically
and lets us continue without having to retype everything.
This seems unnecessary — why not just remove them
automatically after submission — but at least
they're trying to be helpful.
— added 2006/09/29

ITC Fonts The field has plenty of room, but fails with spaces.
— added 2005/01/19First entry for 2005!

Harry & David The field has room for plenty of characters, but it fails
unless the spaces are removed.
— added 2004/12/15Confirmed 2005/11/06Confirmed 2006/11/05

Updated November 2005 to include:

Audible.com
The field has room for plenty of characters, but it fails
unless the spaces are removed.
— added 2004/09/13

Walgreen's The field has room for plenty of characters, but it fails
unless the spaces are removed.
— added 2004/08/19

Apple Store 16-character limit is the same as "no spaces or dashes"
— added 2004/08/13

Cheryl & Co They make great mailorder cookies, but this silly
popup took more to code than it would have been to just
ignore the spaces or dashes. And the code that does checksum
validation on the credit card number itself explicitly
ignores non-digits anyway! Very lame.
— added 2004/08/06

TurboTax Software
Not allowing dollar signs or commas in money is not that big of an
infraction as it is for credit card numbers and formatting, because
we're accustomed to doing without, but it's not that hard to get
right.
— added 2004/02/16 (thanks Jeffrey)

Vanguard Group
The same logic applies to Social Security Account Numbers as it does
to credit card numbers.
— added 2004/02/09 (thanks Jeffrey)

Quicken 2003 Software
There is a field that allows plenty of room for spaces or dashes,
but when trying to do an "online banking update" with First USA bank,
it fails with an error code that is not elaborated on. It took a 20 minute
phone call with First USA support - three different techs - before
the guy asked if I had spaces or dashes in the field. AARGH.

I don't know if this is a Quicken issue or a First USA one. AARGH.
— added 2004/02/06

— added 2003/08/31 (thanks Techie2000)
Fixed: (as of Feb 2005) - Since Palm merged with Handspring,
they have combined into PalmOne.com, and the store here do
the right things with credit card numbers now.